depot/nix/pkgs/pomerium/module.nix

{ depot, config, lib, pkgs, ... }:

with lib;

{
  options.services.pomerium = {
    enable = mkEnableOption "the Pomerium authenticating reverse proxy";

    bindLowPort = mkOption {
      type = with types; bool;
      default = true;
      description = "If true, allows Pomerium to bind low-numbered ports (e.g. 80 and 443).";
    };

    configFile = mkOption {
      type = with types; path;
      description = "Path to Pomerium config file.";
    };

    secretsFile = mkOption {
      type = with types; path;
      description = "Path to file containing secrets for Pomerium, in systemd EnvironmentFile format.";
    };
  };

  config = let cfg = config.services.pomerium; in mkIf cfg.enable {
    systemd.services.pomerium = {
      description = "Pomerium authenticating reverse proxy";
      wants = [ "network.target" ];
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        DynamicUser = true;
        ExecStart = "${depot.pkgs.pomerium}/bin/pomerium -config ${cfg.configFile}";
        StateDirectory = "pomerium";

        PrivateUsers = !cfg.bindLowPort;  # breaks CAP_NET_BIND_SERVICE

        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        DevicePolicy = "closed";
        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectKernelLogs = true;
        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        MemoryDenyWriteExecute = true;
        LockPersonality = true;

        EnvironmentFile = cfg.secretsFile;
        AmbientCapabilities = lib.mkIf cfg.bindLowPort [ "CAP_NET_BIND_SERVICE" ];
        CapabilityBoundingSet = lib.mkIf cfg.bindLowPort [ "CAP_NET_BIND_SERVICE" ];
        Restart = "on-failure";
        RestartSec = "2s";
      };
    };
  };
}
etheroute-lon01: install pomerium 2020-12-28 14:08:24 +00:00			`{ depot, config, lib, pkgs, ... }:`

			`with lib;`

			`{`
			`options.services.pomerium = {`
			`enable = mkEnableOption "the Pomerium authenticating reverse proxy";`

			`bindLowPort = mkOption {`
			`type = with types; bool;`
			`default = true;`
			`description = "If true, allows Pomerium to bind low-numbered ports (e.g. 80 and 443).";`
			`};`

			`configFile = mkOption {`
			`type = with types; path;`
			`description = "Path to Pomerium config file.";`
			`};`

			`secretsFile = mkOption {`
			`type = with types; path;`
			`description = "Path to file containing secrets for Pomerium, in systemd EnvironmentFile format.";`
			`};`
			`};`

			`config = let cfg = config.services.pomerium; in mkIf cfg.enable {`
			`systemd.services.pomerium = {`
			`description = "Pomerium authenticating reverse proxy";`
			`wants = [ "network.target" ];`
			`after = [ "network.target" ];`
			`wantedBy = [ "multi-user.target" ];`

			`serviceConfig = {`
			`DynamicUser = true;`
			`ExecStart = "${depot.pkgs.pomerium}/bin/pomerium -config ${cfg.configFile}";`
			`StateDirectory = "pomerium";`

			`PrivateUsers = !cfg.bindLowPort; # breaks CAP_NET_BIND_SERVICE`

			`NoNewPrivileges = true;`
			`PrivateTmp = true;`
			`PrivateDevices = true;`
			`DevicePolicy = "closed";`
			`ProtectSystem = "strict";`
			`ProtectHome = true;`
			`ProtectControlGroups = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelTunables = true;`
			`ProtectKernelLogs = true;`
			`RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";`
			`RestrictNamespaces = true;`
			`RestrictRealtime = true;`
			`RestrictSUIDSGID = true;`
			`MemoryDenyWriteExecute = true;`
			`LockPersonality = true;`

			`EnvironmentFile = cfg.secretsFile;`
			`AmbientCapabilities = lib.mkIf cfg.bindLowPort [ "CAP_NET_BIND_SERVICE" ];`
			`CapabilityBoundingSet = lib.mkIf cfg.bindLowPort [ "CAP_NET_BIND_SERVICE" ];`
			`Restart = "on-failure";`
			`RestartSec = "2s";`
			`};`
			`};`
			`};`
			`}`